Microsoft Tech Community
Announcing Public Preview of App Governance
Published Jul 14 2021 08:00 AM 20.2K Views
Microsoft

We are excited to announce the public preview of app governance: a security and policy management capability that customers can use to monitor and govern app behaviors and quickly identify, alert, and protect from risky behaviors with data, users, and apps. App governance is designed for OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs.  


App governance provides you with:

  • Deep visibility & insights: Get deeper visibility into apps that access Microsoft 365 data and actionable insights on how the app is configured and behaving in the environment.
  • Policy-driven governance: Proactively define and enforce appropriate app behavior with data, users, and other apps, in accordance with your organization’s security and compliance posture for data access.
  • Comprehensive detection and remediation: Detect anomalous app behavior with machine-learning models, and address issues with automated and manual remediation actions.


App governance is cloud-based and native to the Microsoft 365 platform, so there’s no need to deploy additional infrastructure or services. This provides a simplified onboarding and management experience that can be quickly deployed in customer environments.


App governance is an add-on capability to Microsoft Cloud App Security. Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) used to discover and assess cloud apps, identify risky user behavior, enforce policies to control activity, and detect and remediate threats.


Increasing Risks from Apps

Microsoft’s security and threat research teams have broadly observed an uptick in security incidents involving apps, both in frequency and in impact. These incidents span a wide range, from apps built for malicious purposes to legitimate but vulnerable apps being exploited by bad actors.


This situation is exacerbated by a lack of good app/API hygiene, inadequate governance capabilities, and a lack of oversight on app permissions. Many apps are over-permissioned (the scope of their permissions exceeds what the app needs to accomplish its intended use) and highly permissioned (the type and level of access include sensitive information and high-value users that the app does not require).


Apps are emerging as one of the most dangerous threat vectors because of their low bar to entry, and administrators have a heightened need for visibility and insights into the usage and activity of all apps installed in their organization.


Currently, customers deploy two broad solution types to control and protect against third-party and Line of Business (LOB) cloud apps:

  • App Access: these are solutions (like Azure Active Directory) that register your apps, manage access rights and permissions for your apps and define which users can access which app.
  • App Usage: these are solutions (like Microsoft Cloud App Security) that discover and assess cloud apps, identify risky user behavior in apps, enforce policies to control activity, and detect and remediate threats.


Customers have expressed a need to verify that each app is behaving as intended with the data, users, and apps it has been granted access to. If an app behaves in a manner that is not approved, customers need a solution to quickly detect the issue and remediate it. Inappropriate app behaviors range from security incidents that are categorically bad and must be addressed immediately to activities that fall within a tolerance level and require additional review to assess malicious intent. This requires a deep understanding of app behavior within the environment; app governance provides this new capability and builds upon the existing app access and app usage solutions.


Deep visibility and insights

App governance provides a deep and intuitive dashboard experience that is familiar to administrators. The tenant summary view provides:

  • A high-level summary of the third-party and Line of Business apps in your Microsoft 365 tenant.
  • Alerts based on the violation of any pre-configured policy and/or detection of any anomalous app behavior.
  • Quick insights into apps that do not use one or more permissions they have been granted (Over-permissioned).
  • Apps that have powerful permissions that allow data access or a key setting in the tenant (High privileged).
  • Apps that do not have a verified publisher (Unverified).


This approach helps administrators focus on the most important aspects impacting the overall health and security of their app environment and quickly address outstanding issues. (See Figure 1: Dashboard View Providing at-a-Glance Insights into Deployed App Risks)



Figure 1: Dashboard view provides at-a-glance insights into deployed apps and app risks


App governance supports comprehensive app review and investigation capabilities, with deep details of each app including:

  • Full app metadata.
  • The users of the app, and whether they are high-value users in key roles such as CEO, CFO, or similar.
  • The amount and type of data accessed by the app over time.
  • Granted app permissions and the level of app access.
  • Whether the publisher is verified and/or Microsoft Certified.
  • The latest remediation action taken on the app.


This depth of insight is critical to verify that deployed apps are behaving as intended with the data and users they were granted access to when onboarded, and to validate that apps are operating in accordance with compliance requirements. (See Figure 2: Data Usage View Highlights Key App Behavior Trends)



Figure 2: Data usage view highlights key app behavior trends


This approach can also simplify the app onboarding approval process by verifying that an app’s behavior meets expectations before it is broadly deployed. It also enables a rapid review of apps that are updated by their publisher, to confirm that the capabilities of the updated app remain consistent with expectations.


Policy-Driven Governance

Organizations can define proactive policies and establish acceptable app behaviors in their environment. App governance provides three template categories and five different starter templates covering typical high-risk app behavior patterns, including high-volume data access and newly added apps with high-privileged permissions. Policy templates provide a simplified starting point for creating powerful and flexible app governance policies that can be configured to meet an organization’s individual enforcement requirements. (See Figure 3: Using Policy Templates for Rapid Policy Deployment)


Figure 3: Using policy templates for rapid policy deployment


In addition, app governance provides sixteen app behavior activity indicators (predicates) that can be combined into custom app governance policies. These can address specific compliance requirements, enforce low-level risk mitigation controls, or define actions that preempt threats to sensitive apps when a condition occurs that could lead to the exploitation of an app.


Policies can be configured to run in Audit (test), Active, or Inactive mode, and can include an automated remediation action that disables the app while in Active mode.
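The following Python model is an added example, not Microsoft's code or a depiction of the product's internals. It ties together two parts of this post: the three dashboard insights from the "Deep visibility and insights" section (over-permissioned, high privileged, unverified) and the policy modes described just above (Audit raises alerts only, Active can also disable the app, Inactive is skipped). The app inventory, the set of permissions treated as high privilege, the two predicates and their thresholds are all constructed for illustration.

```python
# Added illustrative model of app-governance classification and policy modes.
# Not Microsoft's code; every record and threshold below is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Set, Tuple

# Constructed set of Microsoft Graph permissions treated as high privilege.
# A real tenant would maintain its own list for its own risk appetite.
HIGH_PRIVILEGE: Set[str] = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "Mail.ReadWrite", "Files.ReadWrite.All",
}


@dataclass
class App:
    name: str
    granted: Set[str]          # permissions the tenant consented to
    used: Set[str]             # permissions actually exercised in Graph calls
    verified_publisher: bool
    added_on: date
    mb_accessed_last_day: float


def classify(app: App) -> Dict[str, object]:
    """Reproduce the three dashboard insights for one app."""
    return {
        "over_permissioned": app.granted - app.used,      # granted, never used
        "high_privileged": app.granted & HIGH_PRIVILEGE,  # sensitive scopes held
        "unverified": not app.verified_publisher,
    }


# Policy predicates take (app, today) and return a bool. Thresholds are constructed.
def high_volume_data_access(app: App, today: date) -> bool:
    return app.mb_accessed_last_day > 500.0


def newly_added_high_privilege(app: App, today: date) -> bool:
    return (today - app.added_on).days <= 7 and bool(app.granted & HIGH_PRIVILEGE)


@dataclass
class Policy:
    name: str
    predicate: Callable[[App, date], bool]
    mode: str                   # "audit", "active" or "inactive"
    disable_app: bool = False   # automated remediation, honoured only in active mode


def evaluate(policies: List[Policy], apps: List[App],
             today: date) -> Tuple[List[dict], Set[str]]:
    """Match enabled policies against apps; return alerts and disabled app names.

    Audit mode alerts without acting, active mode may also disable the app,
    and inactive policies are not evaluated at all.
    """
    alerts: List[dict] = []
    disabled: Set[str] = set()
    for policy in policies:
        if policy.mode == "inactive":
            continue
        for app in apps:
            if not policy.predicate(app, today):
                continue
            action = "none"
            if policy.mode == "active" and policy.disable_app:
                disabled.add(app.name)
                action = "disabled"
            alerts.append({"policy": policy.name, "app": app.name,
                           "mode": policy.mode, "action": action})
    return alerts, disabled


# Constructed sample inventory: names, dates and volumes are made up.
TODAY = date(2021, 7, 14)
SAMPLE_APPS = [
    App("Contoso Mail Sync", {"Mail.ReadWrite", "User.Read"},
        {"Mail.ReadWrite", "User.Read"}, True, date(2020, 3, 2), 820.0),
    App("Expense Helper", {"Directory.ReadWrite.All", "Files.ReadWrite.All", "User.Read"},
        {"User.Read"}, False, date(2021, 7, 12), 12.0),
    App("Calendar Widget", {"Calendars.Read", "User.Read"},
        {"Calendars.Read", "User.Read"}, True, date(2019, 9, 30), 4.5),
]
SAMPLE_POLICIES = [
    Policy("High volume data access", high_volume_data_access, "audit", disable_app=True),
    Policy("New app with high privileges", newly_added_high_privilege, "active", disable_app=True),
    Policy("Unverified publisher", lambda app, today: not app.verified_publisher, "inactive"),
]


def run_sample() -> Tuple[List[dict], Set[str]]:
    return evaluate(SAMPLE_POLICIES, SAMPLE_APPS, TODAY)


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.name, classify(app))
    alerts, disabled = run_sample()
    for alert in alerts:
        print(alert)
    print("disabled:", sorted(disabled))
```

Running the sample shows why mode matters: the high-volume policy is in Audit mode, so Contoso Mail Sync is only reported, while Expense Helper (a citizen-developer app with two unused high-privilege scopes and no verified publisher) trips the Active policy and is disabled. The unverified-publisher policy is Inactive and therefore produces nothing, even though the classification step flags the same app as unverified.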


Comprehensive Detection and Remediation

App governance offers comprehensive detection of anomalous app behavior that includes machine learning models and policy matching. When an anomalous app behavior pattern is detected, an alert is sent to notify the administrators with all the relevant details that they need to take remediation actions quickly and confidently.


App governance offers a range of automated and manual remediation actions for common and emerging advanced persistent threat scenarios including:

  • Adversaries using apps intended for malicious purposes (consent-based phishing).
  • Adversaries taking over apps that are in good standing with high privileges (usually line of business apps developed by citizen developers).


The app governance threat research team and data scientists use a wide variety of data streams and signals, analysis of known attack vectors and techniques (MITRE ATT&CK and others), machine learning models, and triangulated data insights from many sources to build detections of anomalous app behaviors. Microsoft is constantly developing and adding new detection capabilities and improving the efficiency of the existing models built on top of its intelligence platforms.


App governance provides fine-grained remediation integrated with Azure Active Directory, offering configurable actions (automated or manual) to protect against risky or inappropriate app activity and to improve the security posture of the app environment.


To provide customers with a comprehensive way to handle alerts and incident response across different security and compliance products from Microsoft, all app governance alerts are integrated into Microsoft Defender.


Get Started

App governance is an add-on feature for Microsoft Cloud App Security and is initially available as a public preview to existing Microsoft Cloud App Security customers in certain regions of North America and Europe, with other regions being added gradually over the next few months.


Additional resources

App governance is part of a broad and comprehensive set of capabilities to protect your environment from cloud app-related threats.


Thank you,

Microsoft 365 Team


19 Comments
Brass Contributor

Does "Microsoft Cloud App Security" come with some version of MS 365, like E3 or E5?

Silver Contributor

@Renato Pereira yes, MCAS is included in M365 E5, see Microsoft 365 licensing guidance for security & compliance - Service Descriptions | Microsoft Docs


@EricEOuellet is there any way to do something similar in Azure AD for organizations that don't have MCAS?

So help me understand the logic here, it's a prominent attack vector but instead of providing us with OOTB tools to understand App usage you're requiring an add-on on top of the already expensive MCAS license? Don't get me wrong, some of the new stuff you're exposing here (data usage, API calls) is quite useful, but its applicability goes well beyond the security aspect. And I suppose you have no plans of exposing any of this via Graph or other endpoints? :)


Copper Contributor

This looks like a valuable add-on to Microsoft Cloud App Security. I have enabled the service in MCAS without error; however, I am not seeing any data. I believe I have the correct licensing (M365 E5) and the correct roles (Application admin). I have reviewed the Microsoft articles but there are limited details. I am wondering if it hasn't been fully rolled out to me yet.... What am I missing?

Copper Contributor

I can't find the App Governance Trial "Add-On" in the Admin Center - is this still rolling out or should this be available for all Tenants?


Tried it with Global Admin and without, no luck so far.

Microsoft

@Vasil Michev - thanks for the feedback. Exposing this functionality via Graph API is in our feature roadmap, so more to come!

@JCSBCH123 - in addition to enabling in MCAS, you also need to activate the trial license. If you have not already, please activate the trial here

@CJHarms - if your billing address is not in an eligible region (full list of eligible regions here) you are not currently able to activate the trial license

Copper Contributor

@WendyLiu Ah okay - not supported in Germany (yet). Thanks for the information.

Copper Contributor

@WendyLiu Thank you for the link. I tried to use the link to activate the trial and I get an error "The offer that you want is unavailable". Error code 0. When I try to access it from compliance.microsoft.com/appgovernance I get a message "Access denied due to either not onboarded or inappropriate roles".

Microsoft

@JCSBCH123 is your billing address in one of the eligible regions listed here? It might be the same issue that CJHarms experienced

Copper Contributor

@WendyLiu well our billing address is in Canada but I thought we onboarded MCAS to the US as I don't remember having the option to select Canada.  Oh well I guess we just wait.  Thanks.

Steel Contributor

Can someone clarify a licensing requirement? According to the article, any of the following is required:


One of my customers has EMS E5 and according to https://aka.ms/mcaslicensing

EMS E5 includes all CASB capabilities


Will App Governance be included for them?

Silver Contributor

From everything I can tell, App Governance is being provided as an add-on to MDC (Defender for Cloud App) and won't require any additional cost. 

MDC is available as a stand-alone product or is included in all of the level 5 SKUs shown in the list above. 

And just like everyone else that I have ever met, I am NOT a licensing specialist :)

Steel Contributor

Let's ask @EricEOuellet or @WendyLiu if App Governance is included in EMS E5 :)

Microsoft

Hi @Jonas Back and @Dean Gross - app governance is an additional add on license on top of any of the E5, A5, or Defender for Cloud Apps licenses listed here. So you will need one of those prerequisite licenses before you can activate a free trial or buy a paid subscription to app governance

Silver Contributor

@WendyLiu thanks for the clarification, that is really bad news. I am very disappointed that this will be an additional cost for our clients. 

Steel Contributor

@WendyLiu I suggest you clarify this in the article because this is what it says now:


This is simply not true. I will not be able to access and use App Governance with those licenses. A better wording is in your other article here.



In any case, I agree with others that it's sad this requires an additional add-on license on the already expensive E5/MCAS license. I checked some pricelists we have and I see that Microsoft Cloud App Security - App Governance is already added to the November price list. The ERP price is $4.

Steel Contributor

It's £3 in the UK. Another optional product no one will ever use... Should be included in the main product.

Copper Contributor

So, if I understand correctly this license is only required for the account that has access to Cloud app management portal and none of Org. users?

Microsoft

Hi @LauriK000 to use app governance in compliance with the terms of service, purchase the per user per month add-on license for each protected user. Each protected user must have both the app governance add-on license and a license that includes Defender for Cloud Apps (i.e., E5, MDA standalone)

Version history
Last update:
Jul 23 2021 12:52 PM